EnCase 7.09.04: Extracting Passwords from OS X Keychains

Ken Mizota

EnCase 7.09.04 is now available and contains several enhancements to make your investigations more efficient and comprehensive. Today’s digital investigators face a constant struggle to maintain comprehensive investigative skill sets, while continuously improving efficiency in the face of overwhelming growth of evidence and diversity of malfeasance. EnCase 7.09.04 makes reporting more efficient with the Flexible Reporting Template and reduces investigator effort by enabling decryption of McAfee Endpoint Encryption devices with the 64-bit EnCase Examiner. EnCase 7.09.04 expands on the strongest Windows-based investigation capabilities of OS X machines, adding the ability to decrypt and extract passwords from OS X keychains.

To gain access to this release, register your dongle and you’ll receive a MyAccount email with download links.

In this article, I'll walk through the information that can be extracted from keychains and also provide sample EnScript-based techniques to expose this data in EnCase.

3 Ways to Make IEF and EnCase Work Better Together

Jamie McQuaid, EnCE, Magnet Forensics

As forensic examiners we all use a variety of tools to conduct our investigations. Because the types and needs of every case vary, so must the tools that support them. We all have our favorites but typically an investigator’s toolbox will be filled with a variety of tools to assist with every scenario we encounter.

Investigators are always taught to use the best tool for the job and to work through cases thoroughly and efficiently. Internet Evidence Finder (IEF) has become a valuable tool for those of us working on cases requiring the analysis of Internet evidence and large volumes of data. IEF is specifically developed to intelligently recover Internet-related artifacts from Windows, Mac, Linux, iOS, and Android devices, enabling investigators to analyze large amounts of case data quickly and efficiently.

Version 7 Tech Tip: Spotting Full Disk Encryption

Graham Jenkins, Guidance Software, Technical Services Engineer

With data breaches and data security pushed into the news on a seemingly daily basis, we expect today’s digital investigators to be faced with encryption technology more frequently. For those with something to hide, the use of strong encryption has been widely promoted. For those with data they would like to protect, the use of strong encryption is becoming more commonplace by the day. Most enterprises know full disk and file-level encryption is a necessity if you have something worth protecting. Underlining the trend, Windows 8.1 has designs in place to enable BitLocker encryption by default when appropriate hardware is present. One of the strengths of EnCase over the years has been the ability to identify encryption and decrypt evidence in place, exposing data for investigation without altering its contents.

SysTools Outlook Exporter for EnCase – No Outlook Installation Required

Debasish Pramanik, SysTools Software Private Limited

SysTools Outlook Exporter is a plug-in that lets you export mail records found in EnCase Forensic into a Microsoft Outlook PST format file, with no need to install Microsoft Outlook on the machine.

The plug-in package includes SysTools Outlook Viewer, which lets you view the exported PSTs in an Outlook-friendly manner, again without the requirement of having Outlook installed on your local machine. It supports Microsoft Outlook versions 2013, 2010, 2007, 2003 and 2000. With this plug-in, digital forensic investigation teams can enhance the power of EnCase in making their investigations faster.

Digital Forensic Investigators’ Skills are Critical as Investigations Grow More Complex

Robert Bond

Digital forensic evidence is playing a larger role in determining the guilt or innocence of defendants in both civil and criminal matters. As technology captures movement, messages, photos, and the vast majority of what is done on laptops, smartphones, and tablets, it’s increasingly difficult for criminals to cover their digital tracks.

Part 2 - So much evidence, so many artifacts, so little time…

Ken Mizota

In my last post, I summarized a handful of apps that are useful to search and explore your case, and apps that help with malware investigations. For the latest updates on apps, go to EnCase App Central directly, or follow us on Twitter @EnCase.

Without further ado, here are some more apps that we hope can help you make your case:

Part 1 - So much evidence, so many artifacts, so little time…

Ken Mizota

I’ve recently taken to tweeting about some of the latest additions to EnCase App Central and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster and we see EnCase App Central as a key component of EnCase.

EnScript Changes From EnCase Version 6 to Version 7

You may know that Version 6 of EnCase keeps the majority of data in memory, which gives you fast access to the evidence items in a case, but is not conducive to handling large data sets. In addition, keeping most data in memory requires that records and entries be handled separately.

EnCase Version 7 behaves in a similar way to a database in that working through multiple evidence items is accomplished using an iterator. This makes for more stable processing and allows the EnScript programmer to handle both entries and records in a more streamlined way. It is possible, for instance, to iterate through all of the evidence items in a case (entries and e-mail attachments alike), quickly identifying those items that are pictures or documents.